MSBlast epidemic far larger than believed

New data from Microsoft suggests that at least 8 million
Windows computers have been infected by the MSBlast, or Blaster, worm
since last August--many times more than previously thought.

The latest data comes from the software giant's ability to track the
usage of an online tool that its engineers created to clean systems infected with the worm. Since the January release of the tool, more than 16 million of the systems that connected to Microsoft's Windows Update service were found to be infected with MSBlast and were offered a patch and the use of the disinfecting tool, the software giant told CNET News.com. During the same period,
about 8 million systems actually called on Update to patch them and prevent reinfection and used the special tool to remove the worm.

Though Microsoft believes the total number of users infected by the worm is likely closer to the higher tally of 16 million, the 8 million figure may provide a more solid indication of the minimum number of systems hit. The larger number may include systems counted more than once, as busy computer users declined to deal with the worm immediately, or canceled the process once it had begun, only to return to Windows Update later. Once those systems were disinfected and patched, however, they would not be re-counted. Microsoft did not track which systems, specifically, used the tool, just that it was used.

Late last year, "we knew we were getting reports from customers saying
that they were still seeing symptoms of Blaster," said Stephen Toulouse, security program manager for Microsoft's security response center. "Our Internet service provider partners were seeing a lot of Blaster traffic on their networks as well."

The tool has also given Microsoft an invaluable data point to quantify
the threat of such Internet worms.

Already, the size of the digital epidemic far exceeds the estimates of researchers who have tracked the worm since it first started spreading, on Aug. 11. Typically, researchers try to estimate the size of a worm epidemic by collecting data from the records of network devices, such as firewalls and intrusion detection systems. By aggregating the information from the devices, researchers can count the number of Internet addresses from which a worm, such as MSBlast, is trying to spread.

Most Internet security organizations had believed that at most 500,000
systems had been compromised by the self-propagating program.

"I don't doubt (the new) number," said Johannes Ullrich, chief
technology officer for the Internet Storm Center, which collects
firewall logs from thousands of volunteers in order to gauge which
digital threats are spreading on the Internet. Using the voluntarily
submitted records, the Internet Storm Center had tallied enough Internet addresses to estimate that between 200,000 and 500,000 computers had been infected by the worm.

Another threat tracker, security company Symantec, has agreements with
the owners of some 20,000 network devices to use their records for
analysis. The company crunches the numbers to keep track of threats on
the Internet, and though it stopped counting once the MSBlast worm
spread to more than 40,000 computers, Symantec estimated that "a couple hundred thousand" systems may have been compromised, said Alfred Huger, senior director of engineering for the company.

"I am surprised by (Microsoft's) number," he said. "However, I can't
contest it; they have the best insight. We certainly see Blaster out
there in spades."

A survey of 2,000 computers completed by Symantec found that, on average, a system will receive a network packet from an MSBlast-infected computer within one second of connecting to the Internet. Such tenacious spreading is part of the reason Symantec waited until February, five months after MSBlast started spreading, to reduce its threat rating of the worm from a three to a two on its five-point scale.

The wide gap between previous estimates and the latest data calls into
question Internet researchers' ability to accurately gauge the spread of computer worms.

The Internet Storm Center's Ullrich stressed that counts based on
network sensors only see the data that goes outside a company's firewall. Many companies block the data that the MSBlast worm uses to
spread. Moreover, many Internet service providers also blocked the data, further reducing the apparent number of infected systems on the
Internet.
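The sensor-based census described above (aggregate firewall records from many volunteer sensors, then count distinct scanning addresses) can be sketched in a few lines. This is an added example, not code from the article or from the Internet Storm Center; the log format is constructed, and the port it filters on (TCP/135, the RPC port the worm scanned) is an assumption the article does not state. Note how the same address seen by two sensors counts once, and how a hit on a non-worm port is ignored.

```python
# Added example: DShield-style worm census over aggregated firewall logs.
# Assumption: Blaster scanned TCP/135 (not stated in the article); log format is constructed.
from collections import defaultdict

WORM_PORT = 135

# Constructed log lines from three volunteer sensors: time sensor src_ip dst_port action
SENSOR_LOGS = """\
2003-08-12T10:00:01 sensorA 203.0.113.10 135 DENY
2003-08-12T10:00:02 sensorA 203.0.113.10 135 DENY
2003-08-12T10:00:05 sensorB 203.0.113.10 135 DENY
2003-08-12T10:00:07 sensorB 198.51.100.7 135 DENY
2003-08-12T10:00:09 sensorC 198.51.100.7 80 ALLOW
2003-08-12T10:00:11 sensorC 192.0.2.44 135 DENY
2003-08-12T10:00:12 sensorA 192.0.2.44 4444 DENY
"""


def parse_worm_hits(text):
    """Yield (sensor, src_ip) for every record aimed at the worm's port; skip malformed lines."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue
        _, sensor, src, dport, _ = fields
        if dport.isdigit() and int(dport) == WORM_PORT:
            yield sensor, src


def worm_source_census(text):
    """Aggregate all sensors, then count distinct source addresses (the infection estimate).

    Only hosts whose worm traffic actually leaves their network reach any sensor, so
    sites that block the worm's port at the firewall or ISP edge never appear here:
    the estimate is a lower bound, which is the gap the article discusses.
    """
    per_sensor = defaultdict(set)
    hits = 0
    for sensor, src in parse_worm_hits(text):
        per_sensor[sensor].add(src)
        hits += 1
    distinct = set().union(*per_sensor.values()) if per_sensor else set()
    return {
        "hits": hits,                       # raw records, inflated by repeat scans
        "distinct_sources": len(distinct),  # what the census reports
        "per_sensor": {s: len(v) for s, v in per_sensor.items()},
    }


if __name__ == "__main__":
    print(worm_source_census(SENSOR_LOGS))
```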

"Sure we missed some of them," Ullrich said. "The biggest discrepancy is likely in the large corporate networks."

Microsoft's Toulouse has confidence that the software giant's data is correct. Windows Update patches the vulnerability that allows MSBlast to spread, but before January, it didn't eradicate the worm from the compromised system. That behavior resulted in many users having their systems patched after the worm had already infected their computers. That prompted Microsoft to create the tool to clean those Windows systems.

"They were protected from being re-infected, but they had already been
infected," he said. "The tool doesn't even get offered to (users), unless they had (the patches) installed and we detected the existence of Blaster on their computer."

Security researchers still weren't ready on Friday to put complete faith in the new numbers. They seemingly needed time to acclimate to a new reality where a single worm or virus could threaten millions of computers.